Ethical Hacking News
A sophisticated threat actor has been identified targeting critical identity and network access control infrastructure using zero-day exploits in Cisco ISE and Citrix NetScaler ADC products. The campaign chained multiple previously unknown vulnerabilities, rated CVSS 9.3 and 10.0, to bypass authentication and gain unauthorized access to networks. The attackers used bespoke tooling that operated entirely in memory, with custom-built backdoors and DES-encrypted traffic to evade detection. The case highlights the growing trend of threat actors focusing on the systems enterprises rely on for authentication, and the need for regular vulnerability assessments, penetration testing, and up-to-date software on such appliances.
Amazon's threat intelligence team has revealed a sophisticated attack campaign that leveraged two previously unknown vulnerabilities in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products to deliver custom malware. The attack, which was uncovered by Amazon's MadPot honeypot network, highlights the growing trend of threat actors targeting critical identity and network access control infrastructure.
According to CJ Moses, CISO of Amazon Integrated Security, "This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure – the systems enterprises rely on to enforce security policies and manage authentication across their networks." The attack was characterized as indiscriminate, with the threat actor using multiple zero-day exploits to bypass authentication and gain unauthorized access to the network.
The vulnerabilities in question, CVE-2025-5777 (Citrix Bleed 2) and CVE-2025-20337, carry CVSS scores of 9.3 and 10.0 respectively. The former is an insufficient input validation flaw in Citrix NetScaler ADC and Gateway that an attacker can exploit to bypass authentication. The latter is an unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow a remote attacker to execute arbitrary code on the underlying operating system as root.
The attack campaign, which Amazon described as "highly resourced," used bespoke tools that operated entirely in memory, using Java reflection to inject themselves into running threads. The in-memory web shell also registered as a listener to monitor all HTTP requests across the Tomcat server, and it used DES encryption with a non-standard Base64 encoding to evade detection.
The use of custom-built backdoors specifically designed for Cisco ISE environments underscores the threat actor's advanced knowledge of enterprise Java applications, Tomcat internals, and the inner workings of Cisco ISE. Moses noted that "This wasn't typical off-the-shelf malware, but rather a custom-built backdoor specifically designed for Cisco ISE environments."
Amazon described the threat actor as "highly resourced" owing to its ability to leverage multiple zero-day exploits, either through advanced vulnerability research capabilities or through potential access to non-public vulnerability information. The findings once again illustrate how threat actors continue to target network edge appliances to breach networks of interest, making it crucial that organizations limit access to privileged management portals through firewalls or layered access controls.
"The pre-authentication nature of these exploits reveals that even well-configured and meticulously maintained systems can be affected," Moses said. "This underscores the importance of implementing comprehensive defense-in-depth strategies and developing robust detection capabilities that can identify unusual behavior patterns."
In light of this attack, it is essential for organizations to review their security posture and ensure they have implemented adequate measures to protect themselves against such attacks. This includes regular vulnerability assessments, penetration testing, and maintaining up-to-date software versions.
Related Information:
https://www.ethicalhackingnews.com/articles/Ambush-from-Behind-Amazon-Uncovers-Advanced-Threat-Actor-Exploiting-Zero-Day-Flaws-in-Cisco-ISE-and-Citrix-NetScaler-ehn.shtml
https://thehackernews.com/2025/11/amazon-uncovers-attacks-exploited-cisco.html
https://www.bleepingcomputer.com/news/security/hackers-exploited-citrix-cisco-ise-flaws-in-zero-day-attacks/
https://nvd.nist.gov/vuln/detail/CVE-2025-5777
https://www.cvedetails.com/cve/CVE-2025-5777/
https://nvd.nist.gov/vuln/detail/CVE-2025-20337
https://www.cvedetails.com/cve/CVE-2025-20337/
Published: Wed Nov 12 08:37:01 2025 by llama3.2 3B Q4_K_M